1 of 14

VIII International scientific and practical conference “Applied Information Systems and Technologies in the Digital Society” (AISTDS-2024)


Information Security Measures for a Procrastination-Combatting Digital Solution

Valentyna Pleskach, Irma Šileikienė, Romanas Tumasonis,

Yevhenii Topolskov

01.10.2024 Taras Shevchenko National University of Kyiv

2 of 14

Aim of the Research

The aim is to bridge the gap between application development and robust cybersecurity practices, ensuring that digital solutions are not only effective in addressing human behavioral issues such as procrastination but are also secure against both current and potential future cyber threats.


3 of 14

Objectives of the Research

  • Analyze Existing Digital Security Frameworks: To assess their applicability to productivity applications, particularly those designed to combat procrastination.
  • Develop Security Requirements: Formulate specific security strategies designed to protect digital solutions from both current and emerging cyber threats.
  • Implement and Evaluate Security Measures: Apply these security measures in a prototype environment and evaluate their effectiveness through systematic testing, refining the approach based on empirical results and user feedback.


4 of 14

Information Security

The practice of protecting digital assets from unauthorized access

  • Designed to safeguard digital information and ensure the CIA triad of critical resources
  • Critical resources: data, networks, systems, devices
  • CIA triad: confidentiality, integrity, availability

5 of 14

Security Threats and Vulnerabilities

  • Malware represents a significant threat, encompassing various forms of malicious software such as viruses, worms, and trojans.
  • Phishing Attacks leverage social engineering to deceive users into divulging sensitive information.
  • Ransomware is a specific type of malware that encrypts a victim's files, demanding payment to restore access.
  • Denial of Service (DoS) and Distributed Denial of Service (DDoS) Attacks disrupt services by overwhelming systems with a flood of traffic.


6 of 14

Security Frameworks and Standards

  • ISO/IEC 27001 is one of the most prevalent international standards for information security management systems.
  • The NIST Cybersecurity Framework is used globally to improve cybersecurity across industries.
  • COBIT is a comprehensive framework for IT governance and management. It is designed to be a supportive tool for managers and allows for bridging the gap between technical issues, business risks, and control requirements.

7 of 14

Frameworks Comparison

| Framework | Focus Area | Key Features | Applicability to Procrastination-Combatting Apps |
|---|---|---|---|
| ISO/IEC 27001 | Comprehensive ISMS | Systematic approach, risk management, control implementation | High - versatile for all app types |
| NIST Cybersecurity | Cybersecurity risk management | Core functions (Identify, Protect, Detect, Respond, Recover), tailored to organizational needs | Medium - ideal for critical infrastructure apps |
| COBIT | IT governance and management | Aligns IT with business goals, ensures compliance, optimizes resources | Low - more suitable for enterprise IT management |
| PCI DSS | Payment card data security | Secure data processing, strong access control, network infrastructure security | Medium - essential for apps handling payments |
| GDPR | Data protection and privacy | Data subject rights, data protection principles, regulatory compliance | High - mandatory for apps used by EU residents |

8 of 14

Information and Functionality Architecture


9 of 14

Threat Analysis

| Threat | Impact | Likelihood | Priority | Mitigation Strategy |
|---|---|---|---|---|
| Spoofing Identity | High | Medium | High | Multi-factor authentication, security awareness training |
| Tampering with Data | High | Low | Medium | Input validation and parameterized queries, least privilege access controls |
| Repudiation | Medium | Medium | Medium | Content security policies, sanitize user input to prevent script injection |
| Information Disclosure | Very High | High | Very High | Advanced encryption, enforce data access policies, conduct continuous monitoring |
| Denial of Service | Medium | Medium | Medium | Anti-DDoS protections, ensure scalability and redundancy |
| Elevation of Privilege | Very High | Low | High | Principle of least privilege, regular audits, anomaly detection systems |
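The "Tampering with Data" row pairs input validation and parameterized queries with least-privilege access controls. The Python example below is added here and is not part of the presentation or its prototype; it shows the three controls together on a constructed SQLite task table: the deadline is whitelist-validated before it reaches the database, every statement is parameterized so user text is stored literally rather than interpreted as SQL, and each UPDATE is scoped to the requesting user's own rows so one user cannot alter another user's task. The table layout, function names and sample rows are assumptions.

```python
import re
import sqlite3
from datetime import date

# Strict pattern for the only deadline format the API accepts (constructed policy).
ISO_DATE = re.compile(r"[0-9]{4}-[0-9]{2}-[0-9]{2}")


def open_demo_db() -> sqlite3.Connection:
    """Constructed in-memory schema: two users, each owning one task."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE tasks (id INTEGER PRIMARY KEY, owner_id INTEGER NOT NULL, "
        "title TEXT NOT NULL, deadline TEXT NOT NULL)"
    )
    db.executemany(
        "INSERT INTO tasks (id, owner_id, title, deadline) VALUES (?, ?, ?, ?)",
        [(1, 100, "Write thesis chapter", "2024-10-15"),
         (2, 200, "Gym session", "2024-10-02")],
    )
    db.commit()
    return db


def validate_deadline(value: str) -> str:
    """Whitelist validation: the value must be a real calendar date in YYYY-MM-DD form."""
    if not isinstance(value, str) or not ISO_DATE.fullmatch(value):
        raise ValueError("deadline must be YYYY-MM-DD")
    date.fromisoformat(value)  # rejects impossible dates such as 2024-13-45
    return value


def update_deadline(db: sqlite3.Connection, user_id: int, task_id: int, new_deadline: str) -> bool:
    """Parameterized, owner-scoped update. True only if a row owned by user_id changed."""
    deadline = validate_deadline(new_deadline)
    cur = db.execute(
        "UPDATE tasks SET deadline = ? WHERE id = ? AND owner_id = ?",
        (deadline, task_id, user_id),  # bound values, never string-concatenated
    )
    db.commit()
    return cur.rowcount == 1


def rename_task(db: sqlite3.Connection, user_id: int, task_id: int, title: str) -> bool:
    """Free-text field: length-limited, parameterized, and stored literally."""
    if not 1 <= len(title) <= 200:
        raise ValueError("title must be 1-200 characters")
    cur = db.execute(
        "UPDATE tasks SET title = ? WHERE id = ? AND owner_id = ?",
        (title, task_id, user_id),
    )
    db.commit()
    return cur.rowcount == 1


def get_task(db: sqlite3.Connection, task_id: int):
    """Return (owner_id, title, deadline) for a task, or None if it does not exist."""
    return db.execute(
        "SELECT owner_id, title, deadline FROM tasks WHERE id = ?", (task_id,)
    ).fetchone()


if __name__ == "__main__":
    demo = open_demo_db()
    print("owner update:", update_deadline(demo, 100, 1, "2024-11-01"))
    print("non-owner update:", update_deadline(demo, 200, 1, "2024-12-01"))
    print("task 1 now:", get_task(demo, 1))
```

The owner check lives in the WHERE clause rather than in a separate SELECT, so there is no window between "check" and "update" in which the ownership could change, and a failed authorization simply leaves `rowcount` at zero.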

10 of 14

User and System Interaction Analysis

| Interaction Type | Description | Data Points | Security Concerns | Mitigation Strategies |
|---|---|---|---|---|
| Account Creation and Management | Users create accounts and manage profiles | Email, username, password, personal details | Vulnerable to account takeover and data breaches | Implement CAPTCHA, two-factor authentication (2FA), and rate limiting |
| Task Management | Users input and manage tasks | Task descriptions, categories, deadlines | Unauthorized access and data manipulation risks | Use data validation and user authentication to secure access |
| Social Interaction | Users participate in groups, chat, and challenges | Messages, group memberships, interactions | Harassment, spreading of malware, privacy breaches | Content filtering, user reporting, and blocking mechanisms |
| Reward System | Users earn and spend points on virtual goods | Points, item purchases, reward history | Exploitation of reward mechanisms, unfair manipulation | Monitor for unusual activity and validate transactions server-side |
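The Reward System row asks for transactions to be validated server-side and for unusual activity to be monitored. The Python example below is added here and is not the prototype's code; it keeps catalogue prices and balances on the server, refuses a client-supplied price that disagrees with the catalogue, pays out each completed task at most once, never lets a balance go negative, and flags a user who claims more rewards inside a time window than a constructed threshold allows. The item names, point values, threshold and window are all assumptions.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Set, Tuple

# Constructed server-side catalogue (item -> price in points). The client never sets prices.
CATALOGUE: Dict[str, int] = {"theme_dark": 50, "badge_focus": 120, "streak_freeze": 300}
POINTS_PER_TASK = 40         # constructed reward for one completed task
MAX_EARNS_PER_WINDOW = 5     # constructed anomaly threshold: more than this is flagged
WINDOW_SECONDS = 600         # constructed sliding window for the threshold


@dataclass
class RewardLedger:
    """Authoritative points ledger; every check happens here, never in the client."""
    balances: Dict[int, int] = field(default_factory=dict)
    history: List[Tuple[int, str, int, int]] = field(default_factory=list)  # (user, kind, delta, ts)
    earn_times: Dict[int, Deque[int]] = field(default_factory=dict)
    flagged: Dict[int, List[str]] = field(default_factory=dict)
    rewarded_tasks: Set[Tuple[int, int]] = field(default_factory=set)

    def balance(self, user_id: int) -> int:
        return self.balances.get(user_id, 0)

    def _flag(self, user_id: int, reason: str) -> None:
        """Record an anomaly for review; the request itself is still rejected."""
        self.flagged.setdefault(user_id, []).append(reason)

    def earn(self, user_id: int, task_id: int, now: int) -> bool:
        """Credit points for completing a task. Returns False if the request is rejected."""
        if (user_id, task_id) in self.rewarded_tasks:
            return False  # replayed completion: a task pays out at most once
        times = self.earn_times.setdefault(user_id, deque())
        while times and now - times[0] >= WINDOW_SECONDS:
            times.popleft()  # drop completions that fell out of the sliding window
        if len(times) >= MAX_EARNS_PER_WINDOW:
            self._flag(user_id, f"earn burst: {len(times)} rewards within {WINDOW_SECONDS}s at t={now}")
            return False
        times.append(now)
        self.rewarded_tasks.add((user_id, task_id))
        self.balances[user_id] = self.balance(user_id) + POINTS_PER_TASK
        self.history.append((user_id, "earn", POINTS_PER_TASK, now))
        return True

    def spend(self, user_id: int, item: str, client_price: int, now: int) -> bool:
        """Debit points for a catalogue item, trusting only the server-side price."""
        price = CATALOGUE.get(item)
        if price is None:
            return False  # unknown item
        if client_price != price:
            self._flag(user_id, f"price mismatch for {item}: client sent {client_price}, catalogue says {price}")
            return False
        if self.balance(user_id) < price:
            return False  # insufficient points; the balance never goes negative
        self.balances[user_id] = self.balance(user_id) - price
        self.history.append((user_id, "spend", -price, now))
        return True


if __name__ == "__main__":
    ledger = RewardLedger()
    for task in range(1, 7):
        print("earn task", task, ledger.earn(1, task, task * 10))
    print("spend with tampered price:", ledger.spend(1, "badge_focus", 1, 100))
    print("spend with catalogue price:", ledger.spend(1, "badge_focus", 120, 110))
    print("balance:", ledger.balance(1), "flags:", ledger.flagged.get(1))
```

Passing `client_price` into `spend` is deliberate: the server does not use it for the debit, but a mismatch is evidence that the client was modified, which is exactly the "unusual activity" the table wants monitored.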

11 of 14

Implementing and Evaluating Security Measures for a Prototype

  • Multi-factor authentication (MFA);
  • Data encryption;
  • Compliance with the GDPR.
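Of the three measures listed, multi-factor authentication is the one a prototype can implement with the Python standard library alone. The example below is added here and is not taken from the presentation; it implements HOTP (RFC 4226) and time-based TOTP (RFC 6238) with a server-side verifier that tolerates one 30-second step of clock drift, compares codes in constant time, and refuses replay of a code that has already been accepted. The shared secret used in the demo is the RFC test seed, not a real key, and the class and function names are assumptions.

```python
import hashlib
import hmac
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second intervals since the epoch."""
    if now is None:
        now = time.time()
    return hotp(secret, int(now) // step, digits)


class TotpVerifier:
    """Per-user server-side verifier that also rejects replay of an accepted code."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1, digits: int = 6):
        self.secret = secret
        self.step = step
        self.window = window          # steps of drift tolerated on either side of "now"
        self.digits = digits
        self.last_accepted = -1       # highest counter already consumed by a successful login

    def verify(self, submitted: str, now: Optional[float] = None) -> bool:
        if now is None:
            now = time.time()
        if not (submitted.isdigit() and len(submitted) == self.digits):
            return False              # reject malformed input before any crypto work
        counter = int(now) // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = counter + delta
            if candidate <= self.last_accepted:
                continue              # a code for this step was already used once
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, submitted):  # constant-time comparison
                self.last_accepted = candidate
                return True
        return False


if __name__ == "__main__":
    SEED = b"12345678901234567890"    # RFC 4226/6238 test seed, not a production secret
    verifier = TotpVerifier(SEED)
    code = totp(SEED, now=59)
    print("code at t=59:", code)
    print("first use accepted:", verifier.verify(code, now=59))
    print("replay accepted:", verifier.verify(code, now=59))
```

In a real deployment the seed is generated per user with `secrets.token_bytes`, stored encrypted at rest, and `last_accepted` is persisted alongside it; the verifier above keeps it in memory only to show the replay check.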


12 of 14

Conclusions

  1. By exploring various security frameworks, threat modeling, and risk management techniques, the first stage provided a thorough theoretical backdrop against which practical security measures can be developed and implemented. It emphasized the importance of robust information security management to safeguard sensitive user data and maintain trust in digital applications. The insights gained serve as the basis for the subsequent practical applications, ensuring a well-informed approach to designing secure digital solutions.
  2. Building on that theoretical knowledge, the second stage applied these concepts to design detailed security requirements for the prototype of a digital solution focused on enhancing productivity through procrastination management. Covering critical aspects of security such as authentication, data privacy, session management, and compliance with legal standards like GDPR, the work not only addressed potential vulnerabilities identified through threat modeling but also set a solid framework for implementing these security features in practice. This comprehensive approach ensures that the prototype is not only functional but also secure against various cybersecurity threats.
  3. The final stage brought the theoretical designs and security requirements to life through practical implementation within a digital solution prototype. Detailing the integration of security measures into the prototype demonstrated the feasibility and effectiveness of the security strategies in a simulated real-world environment. This work provided insights into the challenges of implementing security features and offered solutions that enhance user experience without compromising security. Moreover, it showed how security and functionality can be balanced effectively, paving the way for future development and real-world application of the prototype. It also underscored the importance of continuous evaluation and adaptation of security measures to keep pace with evolving technological and threat landscapes.



14 of 14

QUESTIONS ???
